Bug 1732428 - cacert.p12 fails to get imported.
Summary: cacert.p12 fails to get imported.
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.1
Assignee: Christian Heimes
QA Contact: ipa-qe
Depends On:
Blocks: 1727835
TreeView+ depends on / blocked
Reported: 2019-07-23 11:18 UTC by Christian Heimes
Modified: 2019-12-19 10:45 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Description Christian Heimes 2019-07-23 11:18:48 UTC
This bug was initially created as a copy of Bug #1727835

I am copying this bug because: 
IPA is going to change the pki config template as workaround.

Description of problem: cacert.p12 fails to get imported.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Install IPA server. Ensure cacert.p12 file is present
2. Try to import the file using the pki command.

#pki -v -d  /tmp/test -c Secret123 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123

Actual results:
[root@ipa ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 Beta (Ootpa)

[root@ipa test]# pki -v -d  /tmp/test -c Secret123 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
PKI options: -v -d /tmp/test -c Secret123
PKI command: 8080 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Server URL: http://ipa.example.test:8080
NSS database: /tmp/test
Message format: null
Command: client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Module: client
Module: cert-import
Importing certificates from /root/cacert.p12.
External command: /usr/bin/pk12util -d /tmp/test -k /tmp/pki-client-cert-import-4556096729051108750.nssdb-pwd -i /root/cacert.p12 -w /tmp/pki-client-cert-import-1914323035172484393.pkcs12-pwd
java.lang.Exception: Unable to import PKCS #12 file
        at com.netscape.cmstools.client.ClientCertImportCLI.importPKCS12(ClientCertImportCLI.java:490)
        at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:231)
        at org.dogtagpki.cli.CLI.execute(CLI.java:345)
        at org.dogtagpki.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:667)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:703)
Caused by: org.dogtagpki.cli.CLIException: External command failed. RC: 18
        at org.dogtagpki.cli.CLI.runExternal(CLI.java:386)
        at org.dogtagpki.cli.CLI.runExternal(CLI.java:358)
        at com.netscape.cmstools.client.ClientCertImportCLI.importPKCS12(ClientCertImportCLI.java:488)
        ... 5 more
ERROR: Command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123

Expected results: The cacert.p12 file should get imported. It works in RHEL7.7

Additional info: Attaching the logs for reference.

Comment 3 Christian Heimes 2019-09-18 08:06:56 UTC
Moving to 8.2

In #1727835 Endi recommended to disable pki_backup_keys and suggested to use PKCS12Export to backup the NSSDB after installation instead:

    $ PKCS12Export -d /etc/pki/pki-tomcat/alias -p password.txt -o /root/cacert.p12 -w password.txt

Note You need to log in before you can comment on or make changes to this bug.